A New Standard Emerges
The terms SSAE 16 and SAS 70 have been used quite extensively in the auditing world as of late, and for good reason. Statement on Auditing Standards No. 70, known simply as SAS 70 to many, is nearing the end of its lifespan after approximately 19 years of service. Since its inception in April of 1992, the US auditing standard gradually grew to become the global de facto framework used for reporting on controls at service organizations. From Canada to the Far East and Argentina to Australia, SAS 70 and its local derivative, became a well-known, widely used, and universally accepted audit mechanism that provided assurance to a large and ever-growing pool of user entities.
But as all things come to pass, Statement on Standards for Attestation Engagements (SSAE ) No. 16, known as SSAE 16, has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Its purpose was to replace an aging SAS 70 standard that needed to be refreshed, but more importantly, one that would keep pace with the growing push towards more globally accepted international accounting standards. Thus, SSAE 16 was born in 2010, an “attest” standard that closely mirrors its international “assurance” equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC). Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
A look at SSAE 16 vs. SAS 70 can be seen as a natural modifying evolution of the dated standard and a transition of power from one governing accounting principle authority to another. The old guard is being replaced, and with that comes new ideas, requirements, and a fresh approach to compliance reporting on controls at service organizations and the responsibilities of the service organization being audited.
So, what are the differences between SSAE 16 and SAS 70? Let’s address the more notable points, as these constitute the “must know” issues for developing an initial understanding of the new standard. Sure, there are numerous technical differences, but they may have a marginal impact, if any, on the application of the standard, the underlying SSAE 16 engagement, so these issues may be left to the auditors, such as us.
Audit vs. Attest
As an initial point of nomenclature, SSAE 16, unlike SAS 70, is an “attest” standard, falling under the attestation framework, and not that of the “auditing” framework, which is the origination of the SAS 70 standard. According to the AICPA, when examining ones’ controls at a service organization, this should not be considered an audit, rather, it should fall under the “attest” standards, hence the name Statement on Standards for Attestation Engagements (SSAE) no. 16. The term “audit” is expected to be reserved in accounting standards for use in relation to financial statement auditing standards.
Description of a "System" vs. Description of "Controls"
Also important to note are the new reporting requirements set forth by SSAE 16 and how they differ from that of the SAS 70 auditing standard. First, SSAE 16 requires a description of the “system”, whereas SAS 70 only called for a description of “controls”. Stressing the term “only” because shortly after the SSAE 16 standard was released, practitioners have largely agreed that the description of the term “system” can be seen as a more expansive and detailed requirement when compared to that of the SAS 70 description of “controls”. In fact, the SSAE 16 standard (published in 2010) provides details and illustrations of subject matter that should be included as part of the description of the “system”. Thus, it’s fair to assume that service organizations who undertook SAS 70 compliance in the past will have to thoroughly re-examine their prior description of “controls” for ensuring it meets the true intent of the SSAE 16 description of the “system.” A competent, well-qualified CPA firm may be able to assist you in this matter.
Written Assertion by Management
Another significant item regarding SSAE 16 vs. SAS 70 is that the SSAE 16 standard requires a written “assertion” by management, something that was never required for the SAS 70 auditing standard. This written assertion, which is also commonly known as “management’s assertion,” the “service organization assertion,” or similar term as applied in a given context, is essentially an assertion made by the service organization that must be provided to the service auditor (i.e., the CPA firm that is conducting the SSAE 16 engagement) representing and asserting to a number of essential clauses, such as the following:
• The description fairly presents the service organization's "system.”
• That the control objectives were suitably designed (SSAE 16 Type 1) and operating effectively (SSAE 16 Type 2) during the dates and/or periods, as asserted to.
• The criteria used for making these assertions, (which are additional statements with supporting matter regarding risk factors relating to control objectives and underlying controls) were in place (Type 1) and were consistently applied (Type 2).
Additionally, this written assertion for SSAE 16 can either be included in an actual description of the service organization's "system" or even attached to the actual description of the system itself. And because the assertion comes from management of the service organization, it should be expected to be on letterhead of the actual service organization, if attached as a separate document.
Subservice Organization Reporting Requirements
There are also what many practitioners would called “enhanced” reporting requirements relating to subservice organizations when comparing SSAE 16 vs. SAS 70. A “subservice organization” is essentially a service organization that is used by the subject service organization that provides services for the expected user entity. For example, if Company A, a manufacturing company, has hired company B, a payroll company, to perform payroll services, then company A is the user entity and company B is the service organization. If company B outsources the actual check printing and mailing of checks to company C, then company C is the “subservice organization. Thus, one can clearly see the importance that company C plays regarding its services and why the SSAE 16 standard had developed criteria to address this subservice provider issue. Specifically, for purposes of the subservice organization reporting for SSAE 16, the following applies:
• Carve-out Method: When reporting on subservice organization's under this method for SSAE 16, the service organization's description of its "system" is to include the nature of the services performed by the actual subservice organization, but to exclude the subservice organization's control objectives and related controls. However, management of the service organization should include within their description of its "system" what controls are in place for monitoring the effectiveness of controls at the subservice organization.
• Inclusive Method: For this method of subservice organization reporting, the service organization's description of its "system" is to include the services performed by the actual subservice organization, along with the relevant control objectives and related controls of the subservice organization.
Understanding Reporting Dates for the Service Auditor's Report
SAS 70 Type 1 audits reported on controls in place "as of" a specific date, whereas Type 2 audits reported on controls in place "as of" a specific date AND the operating effectiveness of the controls over a period of time, usually ending in relation with the same “as of” date. Henceforth, the SSAE 16 will evolve to report on the system, related controls, and operating effectiveness all covering the same period of time. The intent should be that the SSAE 16 provides a report on the overall relevant aspects of the service organization’s system, with its compliment and interaction of controls, including changes in controls as expressed over the period of time covered by a Type 2 and the operating effectiveness of the system, with its regimen on controls.
A Final Word on SAS 70 and SSAE 16 "Certification"
You've probably heard phrases such as "SAS 70 Certified", "SAS 70 Certification" or similar language from any number of people or organizations. The simple truth is that there was, and is, no such thing as a "certification" for SAS 70, and the same holds true for the new SSAE 16 standard. SAS 70 became more prominent with the passage of the 2002 Sarbanes-Oxley Act, resulting in scores of service organization having to become compliant with the SAS 70 reporting standard. This rush to fill the needs of these very service organizations quickly resulted in all types of incorrect phraseology being used to validate one's SAS 70 reporting. Practically speaking, a service organization becomes "compliant" with the auditing standard (SAS 70) or the new attest standard (SSAE 16) for which practitioners (i.e., auditors conducting the engagement) are using for reporting on controls. This "certification" phrase seemed to really irk the American Institute of Certified Public Accountants (AICPA) over the years, so much so that they actually addressed this very issue and other concerns in a four (4) page FAQ titled: "FAQs-New Service Organization Standards and Implementation Guidance".
Lastly, the SSAE 16 report is considered an auditor-to-auditor communication of the service organization’s system and is not intended to purport that a service organization has achieved an objectified defined standard for a system.